In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

GIMF used to be one of my favorite sources of raw OSINT regarding various cyber jihadist activities due to its centralized nature and lack of any operational security in place, in particular the ways it was unknowingly exposing their social networks online.

Monday, December 15, 2008

Dear malware spreader, here we meet again. It's been a while since I last wrote to you, half an year ago to be precise. Since I first met you, keeping (automated) track of your phishing campaigns serving old school VBS scripts has become an inseparable part of my daily routine.

I really enjoyed the fact that since then you've changed your email address from ikbaman@gmail.com to ikbasoft@gmail.com and due to its descriptive nature speaking for a software company set up, I can only envy your profitability. However, due to the tough economic times, your latest round of blended with malware phishing emails has to go down. I'm sure you'd understand, as it only took "5 minutes out of my online experience" to notice you, and so I'm no longer interested in processing the /service-peyment/ that you require on the majority of brandjacked subdomains that you keep creating at the very same ns8-wistee.fr.

secureskype.uuuq .com redirects to monybokers.ns8-wistee .fr/skype/cgi-bin/us/security/update-skype/service-peyment/update/login.aspx/index.htmls where the VBS is pushed, with its detection rate prone to improve.

If I were to come across this service last year, I'd be very surprised. But coming across it in 2008 isn't surprising at all, and that's the disturbing part.

Following the ongoing trend of localizing cybercrime (Localizing Cybercrime - Cultural Diversity on Demand; Localizing Cybercrime - Cultural Diversity on Demand Part Two) a new service takes the concept further by introducing a multilingual on demand social engineering service especially targeting scammers and fraudsters that are unable to "properly scam an international financial institution" due to the language limitations. What is the service all about? Currently offering to "talk cybercrime on behalf of you", the service is charging $9 for a call with increased use of it leading to the usual price discounts falling to $6 per call. The languages covered and the male/female voices available are as follows :

If the service was only advertising male or female English voices, I'd suspect it of being run by a single individual using a commercial voice changer application, however, due to the fact that it's currently offering male and female voices in 5 languages, there's a great chance that these are in fact separate people they're working with. The ugly part is that the whole business model is very well thought of in the sense that given that fact that certain banks or online services can automatically freeze the assets to which the cybercriminal has access to, the service, through its multilingual capabilities can indeed convince the institution in the authenticity of the Spanish caller that's indeed Spanish based on the stolen personal information provided by the cybercriminal in the first place.

Where's the trade-off for cybercriminals? They would have to very specific in order for the service to work, meaning, they would have to use it as a intermediary by sharing data regarding compromised banking accounts, expected courier deliveries obtained through fraudulent means (stolen credit card details), and the service reserves the right not to work with them. Consequently, the people working with the service easily act as the weakest link in the process of exposing ongoing cybercrime or real-life crime activities, and compared to plain simple localization in the sense of translation services, the real nature of the type of conversations and impersonation happening through this one should be pretty obvious to the people offering their natural cultural diversity and voices for sale.

Despite that monetizing social engineering is not new, monetizing (accomplice) voices, and running a social engineering ring definitely is.

Tuesday, December 09, 2008

It's the Facebook message that came from one of your infected friends pointing you to an on purposely created bogus Bloglines blog serving fake YouTube video window, that I have in mind. The Koobface gang has been mixing social engineering vectors by taking the potential victim on a walk through legitimate services in order to have them infected without using any client-side vulnerabilities.

For instance, this bogus Bloglines account (bloglines .com/blog/Youtubeforbiddenvideo) has attracted over 150 unique visitors already, part of Koobface's Hi5 spreading campaign (catshof .com/go/hi5.php). The domain is parked at the very same IP that the rest of the central redirection ones in all of Koobface's campaigns are - 58.241.255.37.

Interestingly, since underground multitasking is becoming a rather common practice, the bogus blog has also been advertised within a blackhat SEO farm using the following blogs, currently linking to several hundred bogus Google Groups accounts :

Only OPSEC-ignorant malware campaigners would leave so much traceable points, in between centralizing the campaign's redirection domains on a single IP. For instance, taking advantage of free web counter whose publicly obtainable statistics -- the account has since been deleted -- allow us to not only measure the clickability of Koobface's campaign, but also, prove that they're actively multitasking by combining blackhat SEO and active spreading across several other social networking sites. Here are some of the key summary points for this campaign :

Key summary points :
- the hosting infrastructure for the bogus YouTube site and the actual binary is provided by several thousand dynamically changing malware infected IPs
- all of the malware infected hosts are serving the bogus YouTube site through port 7777
- the very same bogus domains acting as central redirection points from the November's campaign remain active, however, they've switched hosting locations
- if the visitor isn't coming from where she's supposed to be coming, in this case the predefined list of referrers, a single line of "scan ref" is returned with no malicious content displayed
- the campaign can be easily taken care of at least in the short term, but shutting down the centralized redirection points

What follows are the surprises, namely, despite the fact that Koobface is pitched as a Facebook worm, according to their statistics -- go through a previously misconfigured malware campaign stats -- the majority of unique visitors from the December's campaign appear to have been coming from Friendster. As for the exact number of visitors hitting their web counter, counting as of 7 November 2008, 12:58, with 91,109 unique visitors on on 07 Nov, Fri and another 53,260 on 08 Nov, Sat before the counter was deleted, the cached version of their web counter provides a relatively good sample.

On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js (58.241.255.37) used in the previous campaign, attempts to redirect to find-allnot .com/go/fb.php (58.241.255.37) or to playtable .info/go/fb.php (58.241.255.37), with fb.php doing the referrer checking and redirecting to the botnet hosts magic. Several other well known malware command and control locations are also parked at 58.241.255.37 :

These domains, with several exeptions, are actively participating in the campaign, with the easiest way to differentiate whether it's a Facebook or Bebo redirection, remaining the descriptive filenames. For instance, fb.php corresponds to Facebook redirections and be.php corresponding to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides within the statistics from their campaign :

Thursday, December 04, 2008

Since 100% transparency doesn't exist in any given market no matter how networked and open its stakeholders are, Cybecrime-as-a-Service (CaaS) in the underground marketplace went mainstream with the introduction of- the 76service -- now available in Winter and Spring editions -- followed by a flood of copycats monetizing commodity services on the foundations of proprietary underground tools.

Originally launched as an invite only service where only trusted individuals would be able to take advantage of the malicious economies of scale concept, in August, 2008 copycats ruined the proprietary model of the 76service by tweaking the service and converging it with web malware exploitation kits of their choice. The output? Near real-time access to freshly harvested financial data, which when combined with their aggressive price cutting once again lowers down the entry barriers into this underground market segment.

Start from the basics. Intellectual property theft in the underground marketplace has been a fact for over an year now, with proprietary web malware exploitation kits leaking to the average cybercriminals who after a brief process of re-branding and layout changing, include their very own copyright notice. Upon obtaining the kits for which they haven't a cent/eurocent, it would be fairly logical to assume that they can therefore charge as much as they want for offering on demand access to them, thereby undercutting the prices offered by the experienced market participants. IP theft in the underground marketplace equals a volume sales driven cash cow that messes up the basics of demand and supply that the experienced cybercriminals consciously or subconsciously follow.

Not only is IP theft a reality, but also, among the very latest Zeus crimeware for hire services is charging pocket money for extended periods of time :

"[Q] What is[A] is a mix between the ZeuS Trojan and MalKit, A browser attack toolkit that will steal all information logged on the computer. After being redirected to the browser exploits, the zeus bot will be installed on the victims computer and start logging all outgoing connections.

[Q] How much does it cost?
[A] Hosting for costs $50 for 3 months. This includes the following:

We also host normal ZeuS clients for $10/month.
This includes a fully set up zeus panel/configured binary"

Think cybercriminals in order to anticipate cybercriminals. Would a potential cybercriminal purchase a crimeware kit for a couple of thousand dollars, when they can either rent a managed crimeware service, or even buy a gigabyte worth of stolen E-banking data for any chosen country, collected during the last 30 days? I doubt so, and factual evidence on the increasing number of such services confirms the trend - in 2009 anything cybercrime will be outsourceable.

Tuesday, December 02, 2008

Nothing can warm up the heart of a security researcher better than a batch of currently active Rock Phish domains, fast-fluxing by using U.S based malware infected hosts as infrastructure provider. What is this assessment of currently active Rock Phish campaign aiming to achieve? In short, prove that the people that were Rock Phish-ing at the beginning of the year, are exactly the same people that continue Rock Phish-ing at the end of the year, thereby pointing out that as long as they're not where they're supposed to be, they are not going to stop innovating and working on a higher average online time for their campaigns.

What's particularly interesting about this campaign, is that compared to previous ones targeting multiple brands, the thousands of malware infected hosts and domains are targeting Alliance & Leicester and Abbey National only.

As a firm believer in that "the whole is greater than the sum of its parts", the popular "sitting duck" cybercrime infrastructure hosting model will be either replaced by a cybercrime infrastructure relying entirely on legitimate services, or one where the average malware infected Internet user would be temporarily used as a hosting provider.

If millions were made by using the "sitting duck" hosting model, how many would be made using the others, given that they would inevitably increase the average online time for a malicious campaign?

With business-minded malicious attackers embracing basic marketing practices like branding, it is becoming increasingly harder, if not pointless to keep track of all XYZ-Packs currently in circulation. How come? Due to their open source nature allowing modifications, claiming copyright over the modified and re-branded kit, the source code of core web malware exploitation kits continue representing the foundation source code for each and every newly released kit.

In fact, the practice is becoming so evident, that anecdotal evidence in the form of monitoring ongoing communications between sellers and buyers reveals actual attempts of intellectual property enforcement in the form of exchange of flames between an author of a original kit, and a newly born author who seems to have copied over 80% of his source code, changed the layout, re-branded it, added several more exploits and started pitching it as the most exclusive kit there is available in the underground marketplace.

What's new about this particular kit anyway? Changed iframe and js obfuscation techniques, doesn't require MySQL to run, with several modified Adobe Acrobat and Flash exploits - all patched and publicly obtainable. This is precisely where the marketing pitch ends for the majority of malware kits released during the last quarter.

As always, there are noticable exceptions to the common wisdom that time-to-underground market isn't allowing them to innovate, but thankfully, these exceptions aren't yet going mainstream. What is going to change in the upcoming 2009? Web malware exploitation kits are slowly maturing into multi-user cybercrime platforms, where traffic management coming from the SQL injected or malware embedded sites is automatically exploited with access to the infected hosts or to the traffic volume in general offered for sale under a flat rate, or on a volume basis.

Converging traffic management with drive-by exploitation and offering the output for sale, all from a single web interface, is precisely what malicious economies of scale is all about.

About Me

Cyber Threat Intelligence, Cyber Counter Threat Intelligence, CYBERINT, OSINT and Competitive Intelligence research on demand.
Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day.